Drago Rotaru and Tim Wood University of Bristol, KU Leuven * - PowerPoint PPT Presentation

INDOCRYPT 2019 MArBled Circuits: Mixing Arithmetic and Boolean Circuits with Active Security* Dragoș Rotaru and Tim Wood University of Bristol, KU Leuven * https://ia.cr/2019/207 Dragoș Rotaru 1 imec-Cosic, Dept. Electrical Engineering

What is multiparty computation? a c b Goal : Compute F(a, b, c) Dragos Rotaru 2 Dragoș Rotaru 2 imec-Cosic, Dept. Electrical Engineering

How can we achieve MPC? Secret Sharing Garbled Circuits Fast networks (LAN) Slow Networks (WAN) Arithmetic/Boolean circuits Boolean circuits Low depth, many AND gates* Large depth, few AND gates* Dragoș Rotaru 3 imec-Cosic, Dept. Electrical Engineering

Why switch between? Sint A, x, b y = A * x + b E = argmax(y) Secret Sharing Garbled Circuits Fast networks (LAN) Slow Networks (WAN) Arithmetic/Boolean circuits Boolean circuits Low depth, many AND gates* Large depth, few AND gates* Dragoș Rotaru 4 imec-Cosic, Dept. Electrical Engineering

Why switch between? Sint A, x, b y = A * x + b E = argmax(y) E = argmax(y) Secret Sharing Garbled Circuits Fast networks (LAN) Slow Networks (WAN) Arithmetic/Boolean circuits Boolean circuits Low depth, many AND gates* Large depth, few AND gates* Dragoș Rotaru 5 imec-Cosic, Dept. Electrical Engineering

Can we switch between? A (GMW mod 2 𝑙 ) Yao GC – mod 2 B (GMW mod 2) ABY [DSZ’15] Dragoș Rotaru 6 imec-Cosic, Dept. Electrical Engineering

Can we switch between? A (GMW mod 2 𝑙 ) Yao GC – mod 2 B (GMW mod 2) ABY [DSZ’15] ABY3 [MR’18] Dragoș Rotaru 7 imec-Cosic, Dept. Electrical Engineering

Can we switch between? A (GMW mod 2 𝑙 ) Yao GC – mod 2 B (GMW mod 2) ABY [DSZ’15] ABY3 [MR’18] Dragoș Rotaru 8 imec-Cosic, Dept. Electrical Engineering

What about dishonest majority? Dragoș Rotaru 9 imec-Cosic, Dept. Electrical Engineering

What about dishonest majority? WRK’17 SPDZ Dragoș Rotaru 10 imec-Cosic, Dept. Electrical Engineering

What about dishonest majority? Naive >110K ANDs WRK’17 SPDZ Dragoș Rotaru 11 imec-Cosic, Dept. Electrical Engineering

What about dishonest majority? Naive >110K ANDs WRK’17 SPDZ >110K ANDs Dragoș Rotaru 12 imec-Cosic, Dept. Electrical Engineering

What about dishonest majority? Naive <1K ANDs WRK’17 SPDZ 0 ANDs Dragoș Rotaru 13 imec-Cosic, Dept. Electrical Engineering

How general is this? 𝐆 𝑞 SPDZ SPDZ-BMR WRK’17 HSS’17 𝐚 2 𝑙 SPDZ Dragoș Rotaru 14 imec-Cosic, Dept. Electrical Engineering

How general is this? 𝐆 𝑞 SPDZ SPDZ-BMR WRK’17 HSS’17 𝐚 2 𝑙 SPDZ Very fast using DEFKSV’19 tricks Dragoș Rotaru 15 imec-Cosic, Dept. Electrical Engineering

How general is this? 𝐆 𝑞 SPDZ SPDZ-BMR WRK’17 HSS’17 𝐚 2 𝑙 SPDZ Dragoș Rotaru 16 imec-Cosic, Dept. Electrical Engineering

How general is this? 𝐆 𝑞 SPDZ SPDZ-BMR WRK’17 HSS’17 𝐚 2 𝑙 SPDZ Any honest majority protocol Dragoș Rotaru 17 imec-Cosic, Dept. Electrical Engineering

Our focus 𝐆 𝑞 SPDZ SPDZ-BMR WRK’17 HSS’17 𝐚 2 𝑙 SPDZ Dragoș Rotaru 18 imec-Cosic, Dept. Electrical Engineering

Malicious MPC protocols Preprocessing Online phase phase PKC Inputs SPDZ, TinyOT, BDOZa , MASCOT, WRK’17, HSS’17, … Dragoș Rotaru 19 imec-Cosic, Dept. Electrical Engineering

Let’s talk about 𝐆 𝑞 SPDZ Dragoș Rotaru 20 imec-Cosic, Dept. Electrical Engineering

SPDZ online phase 𝐆 𝑞 SPDZ + + α 1 α 2 α α 3 = 𝑦 3 𝑦 1 𝑦 2 + + = 𝑦 + γ(𝑦) 1 + α 𝑦 γ(𝑦) 2 γ(𝑦) 3 = Dragoș Rotaru 21 imec-Cosic, Dept. Electrical Engineering

SPDZ online phase 𝐆 𝑞 SPDZ + + α 1 α 2 α α 3 = + + 𝑦 1 + 𝑧 1 𝑦 2 + 𝑧 2 𝑦 3 + 𝑧 3 𝑦 + 𝑧 = + + γ x 1 + γ y 1 γ x 2 + γ y 2 γ x 3 + γ y 3 α ( 𝑦 + 𝑧) = Dragoș Rotaru 22 imec-Cosic, Dept. Electrical Engineering

SPDZ online phase 𝐆 𝑞 SPDZ ← X 𝐵 X 𝐵 Retrieve a random mask Input Dragoș Rotaru 23 imec-Cosic, Dept. Electrical Engineering

SPDZ online phase 𝐆 𝑞 SPDZ ← X 𝐵 X 𝐵 Input Dragoș Rotaru 24 imec-Cosic, Dept. Electrical Engineering

SPDZ online phase 𝐆 𝑞 SPDZ ← X 𝐵 X 𝐵 Input ← x x Open Dragoș Rotaru 25 imec-Cosic, Dept. Electrical Engineering

SPDZ online phase 𝐆 𝑞 SPDZ ← X 𝐵 X 𝐵 Input ← x x Open MAC Check Dragoș Rotaru 26 imec-Cosic, Dept. Electrical Engineering

SPDZ online phase 𝐆 𝑞 SPDZ ← X 𝐵 X 𝐵 Input ← x x Open  ← XOR Retrieve a Beaver triple z x y Dragoș Rotaru 27 imec-Cosic, Dept. Electrical Engineering

SPDZ online phase 𝐆 𝑞 SPDZ ← X 𝐵 X 𝐵 Input ← x x Open MAC Check  ← XOR z x y Dragoș Rotaru 28 imec-Cosic, Dept. Electrical Engineering

Let’s talk about 𝐆 2 BMR[MASCOT] Dragoș Rotaru 29 imec-Cosic, Dept. Electrical Engineering

SPDZ online phase BMR 𝐆 2 A B AND AND C A B C Dragoș Rotaru 30 imec-Cosic, Dept. Electrical Engineering

SPDZ online phase SPDZ-BMR BMR 𝐆 2 𝐆 2 A B AND AND C MAC Check Λ 𝑑 ←C + λ 𝑑 Λ 𝐵 ← A + λ 𝑏 Λ 𝐶 ← B + λ 𝑐 Dragoș Rotaru 31 imec-Cosic, Dept. Electrical Engineering

SPDZ online phase BMR 𝐆 2 A B AND AND C MAC Check Λ 𝑑 ←C + λ 𝑑 Λ 𝐵 ← A + λ 𝑏 Λ 𝐶 ← B + λ 𝑐 Inputs - cheap XOR - free Mod p arithmetic - some AND gates Dragoș Rotaru 32 imec-Cosic, Dept. Electrical Engineering

Main idea: 𝐆 𝑞 𝐆 2 SPDZ BMR x x x Dragoș Rotaru 33 imec-Cosic, Dept. Electrical Engineering

Main idea: 𝐆 𝑞 𝐆 2 SPDZ BMR x x x r Dragoș Rotaru 34 imec-Cosic, Dept. Electrical Engineering

Main idea: 𝐆 𝑞 𝐆 2 SPDZ BMR x x - x-r x r Open SPDZ – MAC Check Dragoș Rotaru 35 imec-Cosic, Dept. Electrical Engineering

Main idea: 𝐆 𝑞 𝐆 2 SPDZ BMR x x - + r x x-r x r Dragoș Rotaru 36 imec-Cosic, Dept. Electrical Engineering

Main idea: 𝐆 𝑞 𝐆 2 SPDZ BMR x x - + r x x-r x r We formalize this, plug in any LSSS and GC. Dragoș Rotaru 37 imec-Cosic, Dept. Electrical Engineering

Introducing daBits Dragoș Rotaru 38 imec-Cosic, Dept. Electrical Engineering

Introducing daBits 𝐆 𝑞 SPDZ BMR 𝐆 2 𝒄 𝑩 𝒄 𝑪 𝒄 𝑫 Dragoș Rotaru 39 imec-Cosic, Dept. Electrical Engineering

Introducing daBits 𝐆 𝑞 SPDZ BMR 𝐆 2 SPDZ Input BMR Input 𝒄 𝑩 𝒄 𝑪 𝒄 𝑫 Dragoș Rotaru 40 imec-Cosic, Dept. Electrical Engineering

Introducing daBits 𝐆 𝑞 SPDZ BMR 𝐆 2 SPDZ Input BMR Input 𝒄 𝑩 𝒄 𝑩 𝒄 𝑪 𝒄 𝑪 𝒄 𝑫 𝒄 𝑫 Dragoș Rotaru 41 imec-Cosic, Dept. Electrical Engineering

Introducing daBits 𝐆 𝑞 SPDZ BMR 𝐆 2 SPDZ Open BMR Open 𝒄 𝑩 𝒄 𝑩 𝒄 𝑪 𝒄 𝑪 𝒄 𝑫 𝒄 𝑫 Dragoș Rotaru 42 imec-Cosic, Dept. Electrical Engineering

Introducing daBits 𝐆 𝑞 SPDZ BMR 𝐆 2 SPDZ XOR BMR XOR 𝒄 𝑩  𝒄 𝑪  𝒄 𝑫 𝒄 𝑩  𝒄 𝑪  𝒄 𝑫 Dragoș Rotaru 43 imec-Cosic, Dept. Electrical Engineering

Introducing daBits 𝐆 𝑞 SPDZ BMR 𝐆 2 SPDZ Open BMR Open 𝒄 𝑩  𝒄 𝑪  𝒄 𝑫 𝒄 𝑩  𝒄 𝑪  𝒄 𝑫 Dragoș Rotaru 44 imec-Cosic, Dept. Electrical Engineering

daBit cost BMR[MASCOT] SPDZ Dragoș Rotaru 45 imec-Cosic, Dept. Electrical Engineering

SVM Example in MP-SPDZ Dragoș Rotaru 46 imec-Cosic, Dept. Electrical Engineering

SVM Example in MP-SPDZ Dragoș Rotaru 47 imec-Cosic, Dept. Electrical Engineering

daBit 2.0 Dragoș Rotaru 48 imec-Cosic, Dept. Electrical Engineering

daBit 2.0 ➢ Inspired from DEFKSV’19 𝐚 2 𝑙 𝐆 2 Dragoș Rotaru 49 imec-Cosic, Dept. Electrical Engineering

daBit 2.0 ➢ Inspired from DEFKSV’19 𝐚 2 𝑙 𝐆 2 𝐆 𝑞 𝐆 2 Dragoș Rotaru 50 imec-Cosic, Dept. Electrical Engineering

daBit 2.0 Local mod 2 ➢ Inspired from DEFKSV’19 𝐚 2 𝑙 𝐚 2 𝑙 𝐆 2 𝐆 2 𝐆 𝑞 𝐆 2 Dragoș Rotaru 51 imec-Cosic, Dept. Electrical Engineering

daBit 2.0 𝐆 𝑞 𝐆 2 SPDZ[p].Random() 𝒄 1 𝒄 𝑜 … 𝒔 1 𝒔 𝑡 … 𝑩 𝑩 𝑪 𝑪 𝒄 1 𝒄 𝑜 𝒄 1 𝒄 𝑜 TinyOT.Input() mod 2 mod 2 mod 2 mod 2 … … 𝑩 𝑪 𝑪 𝑩 𝒔 1 … 𝒔 𝑡 𝒔 1 𝒔 𝑡 mod 2 … mod 2 mod 2 mod 2 Dragoș Rotaru 52 imec-Cosic, Dept. Electrical Engineering

daBit 2.0 𝐆 𝑞 𝐆 2 SPDZ[p].Random() 𝒄 1 𝒄 𝑜 … 𝒔 1 𝒔 𝑡 … 𝑩 𝑩 𝑪 𝑪 𝒄 1 𝒄 𝑜 𝒄 1 𝒄 𝑜 TinyOT.Input() mod 2 mod 2 mod 2 mod 2 … … 𝑩 𝑪 𝑪 𝑩 𝒔 1 … 𝒔 𝑡 𝒔 1 𝒔 𝑡 mod 2 … mod 2 mod 2 mod 2 𝑩 mod 2 𝑪 mod 2 𝒄 𝟐 𝒄 1 𝒄 1 xor xor 1 𝒔 𝑗 𝒄 1 𝒄 𝑜 𝒔 𝑗 𝒄 1 𝒄 𝑜 Take s linear combinations and … … Dragoș Rotaru 53 imec-Cosic, Dept. Electrical Engineering